@manhng

Welcome to my blog!

Securing your ASP.NET Core 3+ API using ASP.NET Identity

August 19, 2020 22:55

https://medium.com/swlh/securing-your-net-core-3-api-using-identity-93d6426d6311

https://github.com/alopes2/Medium-MyMusic-Identity

ASP.NET Identity (MVC)

February 6, 2020 09:45

1) Introduction to ASP.NET Identity
https://docs.microsoft.com/en-us/aspnet/identity/overview/getting-started/introduction-to-aspnet-identity

2) ASP.NET Identity Stripped Bare - MVC Part 1 + ASP.NET Identity Stripped Bare - MVC Part 2
https://benfoster.io/blog/aspnet-identity-stripped-bare-mvc-part-1
https://benfoster.io/blog/aspnet-identity-stripped-bare-mvc-part-2
NakedIdentity-master.zip

3) ASP.NET Identity Tutorial – OWIN Authentication Middleware
https://www.tektutorialshub.com/asp-net/asp-net-identity-tutorial-owin-setup/
AspNetMVCIdentityOWIN.rar

4) Securing ASP.NET MVC Applications with ASP.NET Identity
https://www.codeguru.com/csharp/.net/net_asp/mvc/securing-asp.net-mvc-applications-with-asp.net-identity.htm

OWIN authentication middleware depends on the following packages:

Microsoft.Owin
The Microsoft.Owin namespace contains the core OWIN types and provides a set of helper types and abstractions that simplify the creation of OWIN components.

Microsoft.Owin.Security
Shared base classes and abstractions used by the OWIN security middleware packages below.

Microsoft.Owin.Security.Cookies
Middleware that adds cookie-based authentication to the application, similar to ASP.NET forms authentication.

Microsoft.Owin.Security.OAuth
Middleware that enables an application to support any standard OAuth 2.0 authentication workflow.

5) A workshop for moving through the various new pieces in ASP.NET Core Authorization
https://github.com/blowdart/AspNetAuthorizationWorkshop

6) Authorization
https://github.com/aspnet/AspNetCore.Docs/tree/master/aspnetcore/security/authorization/secure-data/samples/

7) OAuth providers for Owin - OWIN OAuth Providers (jerrie@jerriepelser.com)
https://github.com/TerribleDev/OwinOAuthProviders

ASP.NET Identity Recommended Resources - ASP.NET 4.x | Microsoft Docs

https://docs.microsoft.com/en-us/aspnet/identity/overview/getting-started/aspnet-identity-recommended-resources

ASP.NET Identity

October 28, 2019 22:49

https://bytutorial.com/blogs/asp-net-mvc/aspnet-mvc-identity-without-using-entity-framework

https://www.pluralsight.com/guides/configuring-asp-net-identity

https://www.c-sharpcorner.com/article/Asp-Net-mvc-5-integrating-existing-database-with-login-usin/

https://www.asmak9.com/2016/04/aspnet-mvc5-role-base-accessibility.html

https://www.codeproject.com/Articles/1075956/ASP-NET-MVC-User-Role-Base-Menu-Management-Using-W

Claims-based Authentication

June 3, 2019 18:25

_Header.cshtml

@using Microsoft.AspNet.Identity
@using System.Security.Claims
@using WebApp.Mvc.Helpers

@{
    var Fullname = string.Empty;
    var claimsIdentity = User.Identity as ClaimsIdentity;

    if (claimsIdentity != null)
    {
        // The UserData claim carries the application's serialized UserBase object;
        // JsonUtils is the app's own helper from WebApp.Mvc.Helpers.
        var userData = claimsIdentity.FindFirst(ClaimTypes.UserData);
        if (userData != null)
        {
            var userBase = JsonUtils.DeserializeObject<UserBase>(userData.Value);
            if (userBase != null)
            {
                Fullname = userBase.Fullname;
            }
        }
    }
}

https://stackoverflow.com/questions/39125347/how-to-get-claim-inside-asp-net-core-razor-view

https://stackoverflow.com/questions/19524050/get-a-user-claim-in-asp-net-mvc-4-razor-view/19526229

@{
    var claimsIdentity = User.Identity as System.Security.Claims.ClaimsIdentity;

    if (claimsIdentity != null)
    {
        var c = claimsIdentity.FindFirst(System.Security.Claims.ClaimTypes.NameIdentifier);

        if (c != null)
        {
            @* No trailing semicolons: Razor would render them as literal text. *@
            <p>
                @c.Type
                @c.Value
            </p>
        }
    }
}

Implement ASP.NET Security

November 10, 2017 17:17

Basically:

  1. Make a new user
  2. Make a new role
  3. Make a new Claim
  4. Add Claim to Role
  5. Add User to Role
  6. Make a new Policy with claim (during configure services)
  7. Check for user being authorized for policy
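The seven steps above as ASP.NET Core 3.x Identity code, added here as an example that is not part of the original post or the linked repositories. The role name "Editor", the claim ("permission", "music.edit"), the policy "CanEditMusic", the seed user and ApplicationDbContext are assumed names.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Steps 1-5. Role "Editor", claim ("permission", "music.edit") and the seed user are assumed names.
public static class IdentitySeed
{
    public static async Task SeedAsync(UserManager<IdentityUser> users, RoleManager<IdentityRole> roles)
    {
        if (!await roles.RoleExistsAsync("Editor"))
        {
            var role = new IdentityRole("Editor");                                         // step 2
            Check(await roles.CreateAsync(role));
            Check(await roles.AddClaimAsync(role, new Claim("permission", "music.edit"))); // steps 3-4
        }
        if (await users.FindByNameAsync("editor@example.test") == null)
        {
            var user = new IdentityUser { UserName = "editor@example.test", Email = "editor@example.test" };
            Check(await users.CreateAsync(user, "<password-from-secrets>")); // step 1; Identity hashes it
            Check(await users.AddToRoleAsync(user, "Editor"));               // step 5
        }
    }
    private static void Check(IdentityResult r)
    {
        if (!r.Succeeded) throw new InvalidOperationException(string.Join("; ", r.Errors.Select(e => e.Description)));
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // AddRoles<IdentityRole>() makes the claims factory copy role claims into the sign-in cookie;
        // without it a policy that checks a role claim never passes. ApplicationDbContext is assumed.
        services.AddDefaultIdentity<IdentityUser>().AddRoles<IdentityRole>()
                .AddEntityFrameworkStores<ApplicationDbContext>();
        // Step 6: the policy is bound to the claim the role carries, not to the role name.
        services.AddAuthorization(o => o.AddPolicy("CanEditMusic", p => p.RequireClaim("permission", "music.edit")));
        services.AddControllersWithViews();
    }
}

// Step 7: declarative check; IAuthorizationService.AuthorizeAsync(User, "CanEditMusic") does it imperatively.
[Authorize(Policy = "CanEditMusic")]
public class MusicController : Controller { public IActionResult Edit(int id) => View(); }
```

Call IdentitySeed.SeedAsync once at startup with the managers resolved from a service scope; a user who signs in after seeding gets the role's claim in the cookie and passes the policy.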

SQL Insert

https://stackoverflow.com/questions/41513890/creating-asp-net-identity-user-using-sql

How to create 100 users

https://stackoverflow.com/questions/41435437/creating-test-users-with-password-hash-in-asp-net-identity-2-2-1

// Needs 'using System.Linq;' for FirstOrDefault.
public async Task CreateTestUsers() {

    var db = new ApplicationDbContext();
    var userStore = new UserStore<ApplicationUser>(db);
    var userManager = new ApplicationUserManager(userStore);

    for (var i = 1; i <= 100; i++) {
        var username = "User" + i;

        // Skip users that already exist so the method can be re-run safely.
        var user = db.Users.FirstOrDefault(u => u.UserName == username);
        if (user == null) {
            user = new ApplicationUser() {
                UserName = username,
                Email = username + "@" + username + "." + username,
                EmailConfirmed = true,
                LockoutEnabled = false
            };

            // CreateAsync hashes the password with Identity's PasswordHasher and
            // only succeeds if the password passes the manager's PasswordValidator.
            var password = username;
            var result = await userManager.CreateAsync(user, password);
            if (!result.Succeeded) {
                throw new InvalidOperationException(
                    "Could not create " + username + ": " + string.Join("; ", result.Errors));
            }
        }
    }
}

ASP.NET Web Security: Protect User Passwords with Hashing and Salt

http://www.itprotoday.com/web-development/aspnet-web-security-protect-user-passwords-hashing-and-salt

https://www.codeproject.com/Articles/844722/Hashing-Passwords-using-ASP-NETs-Crypto-Class

http://www.c-sharpcorner.com/article/hashing-passwords-in-net-core-with-tips/

http://www.c-sharpcorner.com/UploadFile/145c93/save-password-using-salted-hashing/

ASP.NET Web Security: Protect User Passwords with Hashing and Salt - Unit Test

using System;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;

namespace ConsoleApp1
{
    internal class Utils
    {
        public static Boolean ValidatePassword(String enteredPassword, String storedHash, String storedSalt)
        {
            // Consider this function as an internal function where parameters like
            // storedHash and storedSalt are read from the database and then passed.
            var hash = HashPassword(enteredPassword, storedSalt);
            // String.Equals returns at the first differing character, so this comparison
            // is not constant-time.
            return String.Equals(storedHash, hash);
        }

        // Single SHA-256 over password + salt. This is not the PBKDF2 layout that ASP.NET
        // Identity's PasswordHasher produces, so Identity's own sign-in cannot verify a
        // PasswordHash column written this way.
        public static String HashPassword(String password, String salt)
        {
            var combinedPassword = String.Concat(password, salt);
            var bytes = Encoding.UTF8.GetBytes(combinedPassword);
            using (var sha256 = new SHA256Managed())
            {
                var hash = sha256.ComputeHash(bytes);
                return Convert.ToBase64String(hash);
            }
        }

        // Cryptographically random salt, Base64-encoded so it can be stored next to the hash.
        public static String GetRandomSalt(Int32 size = 12)
        {
            var salt = new Byte[size];
            using (var random = new RNGCryptoServiceProvider())
            {
                random.GetBytes(salt);
            }
            return Convert.ToBase64String(salt);
        }
    }

    internal class Program
    {
        private static void Main(string[] args)
        {
            var defaultAccountLockoutTimeSpan = TimeSpan.FromMinutes(15);
            var lockoutEndDate = new DateTimeOffset(DateTime.Now + defaultAccountLockoutTimeSpan);

            Console.WriteLine(lockoutEndDate);

            const string email = "manhnv8383@gmail.com";
            const string password = "Abc@123";

            var salt = Utils.GetRandomSalt();
            var passwordHash = Utils.HashPassword(password, salt);
            // The salt is not stored anywhere below (AspNetUsers has no salt column), so
            // Utils.ValidatePassword cannot be run against this row later.

            using (var conn = new SqlConnection("Server=192.168.2.26;Database=IdentityServerDb;user id=sa;password=123456;"))
            {
                const string newUserSql = "INSERT INTO \"AspNetUsers\" (\"Id\", \"AccessFailedCount\", \"ConcurrencyStamp\", \"Email\", \"EmailConfirmed\", \"LockoutEnabled\", \"LockoutEnd\", \"NormalizedEmail\", \"NormalizedUserName\", \"PasswordHash\", \"PhoneNumber\", \"PhoneNumberConfirmed\", \"SecurityStamp\", \"TwoFactorEnabled\", \"UserName\") VALUES (@p0, @p1, @p2, @p3, @p4, @p5, @p6, @p7, @p8, @p9, @p10, @p11, @p12, @p13, @p14);";

                using (var insertCommand = new SqlCommand(newUserSql, conn))
                {
                    // All values go in as parameters; Id and the stamps are string columns, so pass strings.
                    insertCommand.Parameters.AddWithValue("@p0", Guid.NewGuid().ToString()); //Id
                    insertCommand.Parameters.AddWithValue("@p1", 0); //AccessFailedCount
                    insertCommand.Parameters.AddWithValue("@p2", Guid.NewGuid().ToString()); //ConcurrencyStamp
                    insertCommand.Parameters.AddWithValue("@p3", email); //Email
                    insertCommand.Parameters.AddWithValue("@p4", 0); //EmailConfirmed
                    insertCommand.Parameters.AddWithValue("@p5", 0); //LockoutEnabled (0: LockoutEnd below is not enforced)
                    insertCommand.Parameters.AddWithValue("@p6", lockoutEndDate); //LockoutEnd
                    insertCommand.Parameters.AddWithValue("@p7", email.ToUpper()); //NormalizedEmail
                    insertCommand.Parameters.AddWithValue("@p8", email.ToUpper()); //NormalizedUserName
                    insertCommand.Parameters.AddWithValue("@p9", passwordHash); //PasswordHash
                    insertCommand.Parameters.AddWithValue("@p10", DBNull.Value); //PhoneNumber
                    insertCommand.Parameters.AddWithValue("@p11", 0); //PhoneNumberConfirmed
                    insertCommand.Parameters.AddWithValue("@p12", Guid.NewGuid().ToString()); //SecurityStamp
                    insertCommand.Parameters.AddWithValue("@p13", 0); //TwoFactorEnabled
                    insertCommand.Parameters.AddWithValue("@p14", email); //UserName

                    conn.Open();

                    insertCommand.ExecuteNonQuery();
                }
            }
        }
    }
}
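The console program above writes a salted SHA-256 digest into PasswordHash, but ASP.NET Core Identity's PasswordHasher uses PBKDF2 with its own byte layout and rejects such a value at sign-in. As an added example that is not from the original post, the following produces a hash in Identity's own format and verifies it the way SignInManager does; it needs the Microsoft.Extensions.Identity.Core package, and the SeedUser type and sample password are constructed for the example.

```csharp
using System;
using Microsoft.AspNetCore.Identity;

// Minimal user type; the default hasher does not read any of its members.
public class SeedUser
{
    public string UserName { get; set; }
}

public static class IdentityPasswordSeed
{
    // Identity v3 format (ASP.NET Core): PBKDF2-HMAC-SHA256 with a fresh random 128-bit salt,
    // packed by the hasher into a single Base64 string. No manual salt handling or column needed.
    public static string HashForIdentity(string password)
    {
        var hasher = new PasswordHasher<SeedUser>();
        return hasher.HashPassword(new SeedUser(), password);
    }

    // What SignInManager does on login: re-derive with the salt embedded in the stored
    // value and compare in constant time.
    public static bool VerifyForIdentity(string storedHash, string attempt)
    {
        var hasher = new PasswordHasher<SeedUser>();
        var result = hasher.VerifyHashedPassword(new SeedUser(), storedHash, attempt);
        // SuccessRehashNeeded means an older (v2, PBKDF2-HMAC-SHA1) value was accepted
        // and should be re-hashed and stored again.
        return result == PasswordVerificationResult.Success
            || result == PasswordVerificationResult.SuccessRehashNeeded;
    }

    public static void Main()
    {
        const string password = "Abc@123"; // constructed sample, same value as the program above
        var stored = HashForIdentity(password);
        Console.WriteLine(stored); // this is the value to write into AspNetUsers.PasswordHash
        Console.WriteLine(VerifyForIdentity(stored, password));
        Console.WriteLine(VerifyForIdentity(stored, "not-the-password"));
        // Hashing the same password twice yields different strings because each call draws a new salt.
        Console.WriteLine(stored == HashForIdentity(password));
    }
}
```

The iteration count is configurable through PasswordHasherOptions; the format marker byte at the start of the stored value is what lets Identity tell the v2 and v3 layouts apart.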
